An error occurred:

Check: RHEL-06-000511

Red Hat Enterprise Linux 6 STIG: RHEL-06-000511 (in versions v2 r2 through v1 r14)

Title

The audit system must take appropriate action when there are disk errors on the audit storage volume. (Cat II impact)

Discussion

Taking appropriate action in case of disk errors will minimize the possibility of losing audit records.

Check Content

Inspect "/etc/audit/auditd.conf" and locate the following line to determine if the system is configured to take appropriate action when disk errors occur: # grep disk_error_action /etc/audit/auditd.conf disk_error_action = [ACTION] If the system is configured to "suspend" when disk errors occur or "ignore" them, this is a finding.

Fix Text

Edit the file "/etc/audit/auditd.conf". Modify the following line, substituting [ACTION] appropriately: disk_error_action = [ACTION] Possible values for [ACTION] are described in the "auditd.conf" man page. These include: "ignore" "syslog" "exec" "suspend" "single" "halt" Set this to "syslog", "exec", "single", or "halt".

Additional Identifiers

Rule ID: SV-218094r603264_rule

Vulnerability ID: V-218094

Group Title: SRG-OS-000047

Expert Comments

Expert comments are only available to logged-in users.

CCIs

CCIs tied to check.
Number Definition
CCI-000140

Take organization-defined actions upon audit failure include, shutting down the system, overwriting oldest audit records, and stopping the generation of audit records.

Controls

Controls tied to check. These are derived from the CCIs shown above.
Number Title
AU-5

Response to Audit Processing Failures